upgrade
Output Kubernetes configs to upgrade an existing Linkerd control plane.
Note that the default flag values for this command come from the Linkerd control plane. The default values displayed in the Flags section below only apply to the install command.
Examples
# Default upgrade.
linkerd upgrade | kubectl apply --prune -l linkerd.io/control-plane-ns=linkerd -f -
# Similar to install, upgrade may also be broken up into two stages, by user
# privilege.Flags
| Flag | Usage |
|---|---|
--admin-port | Proxy port to serve metrics on |
--control-plane-tracing | Enables Control Plane Tracing with the defaults |
--control-plane-version | (Development) Tag to be used for the control plane component images |
--control-port | Proxy port to use for control |
--controller-log-level | Log level for the controller and web components |
--controller-replicas | Replicas of the controller to deploy |
--controller-uid | Run the control plane components under this user ID |
--disable-h2-upgrade | Prevents the controller from instructing proxies to perform transparent HTTP/2 upgrading (default false) |
--disable-heartbeat | Disables the heartbeat cronjob (default false) |
--enable-external-profiles | Enable service profiles for non-Kubernetes services |
--force | Force upgrade operation even when issuer certificate does not work with the trust anchors of all proxies |
--from-manifests | Read config from a Linkerd install YAML rather than from Kubernetes |
--ha | Enable HA deployment config for the control plane (default false) |
--identity-clock-skew-allowance | The amount of time to allow for clock skew within a Linkerd cluster |
--identity-issuance-lifetime | The amount of time for which the Identity issuer should certify identity |
--identity-issuer-certificate-file | A path to a PEM-encoded file containing the Linkerd Identity issuer certificate (generated by default) |
--identity-issuer-key-file | A path to a PEM-encoded file containing the Linkerd Identity issuer private key (generated by default) |
--identity-trust-anchors-file | A path to a PEM-encoded file containing Linkerd Identity trust anchors (generated by default) |
--image-pull-policy | Docker image pull policy |
--inbound-port | Proxy port to use for inbound traffic |
--init-image | Linkerd init container image name |
--init-image-version | Linkerd init container image version |
--linkerd-cni-enabled | Omit the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed |
--omit-webhook-side-effects | Omit the sideEffects flag in the webhook manifests, This flag must be provided during install or upgrade for Kubernetes versions pre 1.12 |
--outbound-port | Proxy port to use for outbound traffic |
--proxy-cpu | Amount of CPU units that the proxy sidecar requests |
--proxy-cpu-limit | Maximum amount of CPU units that the proxy sidecar can use |
--proxy-cpu-request | Amount of CPU units that the proxy sidecar requests |
--proxy-image | Linkerd proxy container image name |
--proxy-log-level | Log level for the proxy |
--proxy-memory | Amount of Memory that the proxy sidecar requests |
--proxy-memory-limit | Maximum amount of Memory that the proxy sidecar can use |
--proxy-memory-request | Amount of Memory that the proxy sidecar requests |
--proxy-uid | Run the proxy under this user ID |
--proxy-version-v | Tag to be used for the Linkerd proxy images |
--registry | Docker registry to pull images from |
--restrict-dashboard-privileges | Restrict the Linkerd Dashboard’s default privileges to disallow Tap and Check |
--skip-inbound-ports | Ports and/or port ranges (inclusive) that should skip the proxy and send directly to the application |
--skip-outbound-ports | Outbound ports and/or port ranges (inclusive) that should skip the proxy |
Subcommands
Upgrade supports subcommands as part of the Multi-stage install feature.
config
Output Kubernetes cluster-wide resources to upgrade an existing Linkerd.
Note that this command should be followed by “linkerd upgrade control-plane”.
Examples
# Default upgrade.
linkerd upgrade config | kubectl apply -f -Flags
| Flag | Usage |
|---|---|
--linkerd-cni-enabled | Omit the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed |
--restrict-dashboard-privileges | Restrict the Linkerd Dashboard’s default privileges to disallow Tap and Check |
control-plane
Output Kubernetes control plane resources to upgrade an existing Linkerd.
Note that the default flag values for this command come from the Linkerd control plane. The default values displayed in the Flags section below only apply to the install command. It should be run after “linkerd upgrade config”.
Examples
# Default upgrade.
linkerd upgrade control-plane | kubectl apply -f -Flags
| Flag | Usage |
|---|---|
--admin-port | Proxy port to serve metrics on |
--control-plane-tracing | Enables Control Plane Tracing with the defaults |
--control-plane-version | (Development) Tag to be used for the control plane component images |
--control-port | Proxy port to use for control |
--controller-log-level | Log level for the controller and web components |
--controller-replicas | Replicas of the controller to deploy |
--controller-uid | Run the control plane components under this user ID |
--disable-h2-upgrade | Prevents the controller from instructing proxies to perform transparent HTTP/2 upgrading (default false) |
--disable-heartbeat | Disables the heartbeat cronjob (default false) |
--enable-external-profiles | Enable service profiles for non-Kubernetes services |
--ha | Enable HA deployment config for the control plane (default false) |
--identity-clock-skew-allowance | The amount of time to allow for clock skew within a Linkerd cluster |
--identity-issuance-lifetime | The amount of time for which the Identity issuer should certify identity |
--identity-issuer-certificate-file | A path to a PEM-encoded file containing the Linkerd Identity issuer certificate (generated by default) |
--identity-issuer-key-file | A path to a PEM-encoded file containing the Linkerd Identity issuer private key (generated by default) |
--identity-trust-anchors-file | A path to a PEM-encoded file containing Linkerd Identity trust anchors (generated by default) |
--image-pull-policy | Docker image pull policy |
--inbound-port | Proxy port to use for inbound traffic |
--init-image | Linkerd init container image name |
--init-image-version | Linkerd init container image version |
--linkerd-cni-enabled | Omit the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed |
--omit-webhook-side-effects | Omit the sideEffects flag in the webhook manifests, This flag must be provided during install or upgrade for Kubernetes versions pre 1.12 |
--outbound-port | Proxy port to use for outbound traffic |
--proxy-cpu | Amount of CPU units that the proxy sidecar requests |
--proxy-cpu-limit | Maximum amount of CPU units that the proxy sidecar can use |
--proxy-cpu-request | Amount of CPU units that the proxy sidecar requests |
--proxy-image | Linkerd proxy container image name |
--proxy-log-level | Log level for the proxy |
--proxy-memory | Amount of Memory that the proxy sidecar requests |
--proxy-memory-limit | Maximum amount of Memory that the proxy sidecar can use |
--proxy-memory-request | Amount of Memory that the proxy sidecar requests |
--proxy-uid | Run the proxy under this user ID |
--proxy-version-v | Tag to be used for the Linkerd proxy images |
--registry | Docker registry to pull images from |
--restrict-dashboard-privileges | Restrict the Linkerd Dashboard’s default privileges to disallow Tap and Check |
--skip-inbound-ports | Ports and/or port ranges (inclusive) that should skip the proxy and send directly to the application |
--skip-outbound-ports | Outbound ports and/or port ranges (inclusive) that should skip the proxy |